Practices of Kubernetes Multi-tenant Clusters

What Is a Multi-tenant Cluster?

Multi-tenant Scenarios

1) Multi-tenant Sharing of Clusters Within an Enterprise

  • Cluster Administrator
      • Has cluster management capabilities, such as scaling and adding nodes.
      • Creates and allocates namespaces for tenant administrators.
      • Manages various policies, such as RAM, RBAC, network policies, and quotas.
  • Tenant Administrator
      • Has at least the RAM read-only permission for the cluster.
      • Manages the RBAC configurations of relevant personnel in the tenant.
  • Tenant User
      • Uses Kubernetes resources within the permitted range in the tenant namespace.

2) Multi-tenancy in SaaS and KaaS Service Models

Implementing a Multi-tenant Architecture

Access Control

Resource Scheduling

Protection of Sensitive Information

  • Enable the default security configuration for the Kubernetes cluster.
  • Enable RBAC to prohibit access from anonymous users.
  • Enable secret encryption to enhance the protection of sensitive information.
  • Perform security configuration based on the CIS Kubernetes benchmarks.
  • Enable related admission controllers such as NodeRestriction, AlwaysPullImages, and PodSecurityPolicy.
  • Use PSPs to control whether pods may be deployed in privileged mode and to constrain the security context of pods while they are running.
  • Configure network policies.
  • Enable Seccomp, AppArmor, and SELinux for the Docker runtime.
  • Try to achieve multi-tenant isolation for services such as monitoring and logging.
  • Use dynamic policy engines such as Open Policy Agent (OPA) for fine-grained access control at the network or object level.
  • Deploy secure containers to obtain kernel-level isolation at container runtime.
  • Implement comprehensive multi-tenant isolation solutions for monitoring, logging, storage, and other services.
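
As an added example (not from the original page), the baseline objects a cluster administrator could apply when onboarding one tenant namespace: it covers the namespace creation, tenant-administrator RBAC, quota and network-policy duties listed under the enterprise scenario above, and the "Configure network policies" item in this checklist. The namespace name "team-a" and the user "alice" are placeholders.

```yaml
# Added example: baseline objects a cluster administrator applies when onboarding
# one tenant namespace. "team-a" and "alice" are placeholder names.
apiVersion: v1
kind: Namespace
metadata:
  name: team-a
---
# Tenant administrator: may manage Roles/RoleBindings for the tenant, but only inside this namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: team-a-admin
  namespace: team-a
subjects:
- kind: User
  name: alice            # placeholder tenant administrator
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: admin            # built-in role: full namespace access, but cannot edit the quota or the namespace itself
  apiGroup: rbac.authorization.k8s.io
---
# Quota: caps what the tenant can consume so one tenant cannot starve the others.
apiVersion: v1
kind: ResourceQuota
metadata:
  name: team-a-quota
  namespace: team-a
spec:
  hard:
    requests.cpu: "8"
    requests.memory: 16Gi
    limits.cpu: "16"
    limits.memory: 32Gi
    pods: "50"
---
# Network policy: deny ingress from other namespaces; pods inside the tenant may still reach each other.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: team-a-isolate
  namespace: team-a
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector: {}    # a podSelector without namespaceSelector matches only this namespace
```

Apply the file with `kubectl apply -f`; the network policy only takes effect when the cluster's CNI plugin enforces NetworkPolicy.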
